One of the most exciting new features in Fedora 8 will be eCryptfs. I downloaded the latest test release of Fedora 8 just to try it out. Mike Halcrow has done a terrific job writing the code, getting it and the design documents reviewed, and letting people know about eCryptfs. He has written two OLS papers ([1] and [2]) and one Linux Journal article [3] about the design and implementation of eCryptfs. The nice thing about eCryptfs is that it provides per-file encryption rather than requiring that the entire block device be encrypted, as dm-crypt does. This means that if you want to back up the encrypted content and one file changes, an incremental backup will pick up only that one file rather than the complete encrypted file system blob.

In Fedora 8, eCryptfs user space packages are not installed by default, so first you have to install them:
yum -y install ecryptfs-utils.i386
and optionally
ecryptfs-utils-dev.i386 for the development libraries.

The eCryptfs module is not loaded by default, so to use eCryptfs, you have to load it, as root:
modprobe ecryptfs

Next you create the confidential directory and mount it, as root:
mkdir crypted Confidential
mount -t ecryptfs crypted Confidential
You are then prompted for a passphrase and given a choice of ciphers:
Cipher
 1) CAST5
 2) Blowfish
 3) AES-128
 4) AES-192
 5) AES-256
 6) CAST6
 7) Triple-DES
 8) Twofish

Next enter the Confidential directory and start typing in your secrets:
vi Confidential/donttell.txt
and BAM! You get AVC denials creating the .swp file and you can’t save your file. The Confidential directory gets mounted as system_u:object_r:unlabeled_t:s0, which vi is not permitted to write to. You have to mount with the option context=system_u:object_r:user_home_t:s0 in order to be able to create files in the Confidential directory when SELinux is enforcing.
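To make the symptom and the fix concrete, here is an added example (not part of the original post or of ecryptfs-utils) that picks the unlabeled_t denials out of audit log lines and prints the mount command with the context option. The function names and the sample log lines are constructed for illustration; the directory names and the context value are the ones used above.

```shell
#!/bin/sh
# Added example: triage AVC denials caused by an unlabeled eCryptfs mount
# and print the corrected mount command. Function names are hypothetical.

CTX='system_u:object_r:user_home_t:s0'   # context value given in the post

# Read audit log lines on stdin; print "comm tclass permission" for every
# denial whose target context is unlabeled_t (the symptom described above).
unlabeled_denials() {
    grep 'avc: *denied' | grep 'tcontext=[^ ]*:unlabeled_t:' |
    sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*comm="\([^"]*\)".*tclass=\([a-z_]*\).*/\2 \3 \1/p'
}

# Print the mount command for lower directory $1 and mount point $2.
# $3 is the SELinux mode as reported by getenforce; following the post,
# the context option is added only when SELinux is enforcing.
ecryptfs_mount_cmd() {
    if [ "$3" = "Enforcing" ]; then
        printf 'mount -t ecryptfs -o context=%s %s %s\n' "$CTX" "$1" "$2"
    else
        printf 'mount -t ecryptfs %s %s\n' "$1" "$2"
    fi
}

# Constructed, abbreviated sample lines (not captured from a real system).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1190000000.101:41): avc:  denied  { write } for  pid=2301 comm="vi" name="Confidential" ino=1201 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1190000000.205:42): avc:  denied  { read } for  pid=2310 comm="httpd" name="index.html" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1190000001.007:43): avc:  denied  { add_name } for  pid=2301 comm="vi" name=".donttell.txt.swp" scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
EOF
}

# Demo: list the unlabeled_t denials, then the command to remount with.
# On a real system, pass "$(getenforce)" as the third argument.
sample_log | unlabeled_denials
ecryptfs_mount_cmd crypted Confidential Enforcing
```

On a live system, feed the first function from the audit log instead of the sample, for example `unlabeled_denials < /var/log/audit/audit.log` as root.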

Mike’s Linux Journal article has a few more hints on how to customize your .ecryptfsrc file and use ecryptfs-manager which I highly recommend. The ecryptfs-utils package is totally void of man pages and other useful documentation which I fully expect will be remedied in short order. Mike has done a lot of work with the IBM internal Linux Open Client to make eCryptfs totally transparent to the end user. It looks like some of the code and binaries made it into Fedora 8 but the level of integration is not complete. Hopefully, this is something that Mike and the Fedora community will agree to in Fedora 9.

[0] eCryptfs home page at
[1] OLS 2004: Demands, Solutions, and Improvements for Linux Filesystem Security at
[2] OLS 2005: eCryptfs: An Enterprise-class Cryptographic Filesystem for Linux
[3] eCryptfs: a Stacked Cryptographic Filesystem at